Suiche has been a speaker at various security conferences such as PacSec, BlackHat USA, EUROPOL High Tech Crime Meeting, Shakacon etc. Prior to starting MoonSols in 2010, he worked for companies such as E.A.D.S. (European Aeronautic Defense and Space Company) and the Netherlands Forensics Institute of the Dutch Ministry of Justice.

What motivates you to find security vulnerabilities?

Most of the time, the main purpose is not to find security vulnerabilities but to understand how a module or a piece of code works — either to be able to use it or to improve it. There are enough people looking for security vulnerabilities or doing software QA for free or in multi-billion dollar companies; I don’t think the industry really needs me for that. :)

What are the primary tools you use, and how do you use them?

Most of my tools are like most other people’s: IDA because it’s a powerful disassembler with a powerful framework, Visual Studio as a compiler, and either Microsoft WinDbg or OllyDbg for debugging purposes. Especially WinDbg, which is really helpful in several fields, from crash dump analysis to live debugging sessions like I do with MoonSols LiveCloudKd, which makes it possible to open the physical memory of a running Microsoft Hyper-V Windows virtual machine as a Microsoft full memory crash dump.

How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?

Most of the time, if it’s not a kernel module, I won’t be interested in looking at it. And the number of interesting kernel modules is not that big, so it makes things easier. Basically, it’s been known for several years that the Microsoft win32k.sys kernel module is the perfect target for kernel bugs in Windows.

How do you handle disclosure? Which vendors have been good to work with and which have not?

Hum, that’s a very wide question. Microsoft has been pretty good, they usually have a pretty good relationship with researchers — I’ve never dealt with RIM but I can tell that their Program Managers have a really good relationship with researchers too.

What are you working on currently?

I spend most of my time working on an application to monitor Microsoft Hyper-V virtual machines from the host. Basically, to retrieve any information related to processes, DLLs, objects, handles, kernel modules and kernel structures that can be useful for troubleshooting, but also for incident response or malware detection.

What do you think is the biggest challenge facing InfoSec as an industry?

The biggest challenge of InfoSec is still the people, from end-users to the CISO. Most of the time, people don’t even understand what security really is. The example of Sony is pretty meaningful: they got hacked and they’re probably gonna lose billions. They started to look for “Security People” and if you read the job offer it’s pretty ridiculous. The required skills were basically: Nessus, “Intermediate level of dev exp with one of the web languages such as PHP, .NET, JAVA, HTML, Perl, Python, Ruby on Rails etc is required” and last but not least “Knowledge of SANS Top 25 and OWASP Top 10 vulnerabilities.” This is just a shame. I didn’t even mention that it was a “Senior” position — here is the link if you want to check for yourself: http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx?job_did=J3F4GV6PLHHGXQC9WWF

What do you see as the biggest changes in computer forensics in the past few years?

The general interest in computer forensics and incident response has definitely increased in the past few years, like it did with computer security. People are slowly starting to understand that security is important, especially because everybody is using it daily, either from their laptops or their cellphones.

How can computer forensics be used offensively?

In the case of physical memory forensic expertise, this knowledge can be applied to hiding pieces of code efficiently in memory, and also to injecting code with precision into virtual machines from the host. For instance, that could be used for mass infection of virtual machines.
